U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Analysis of Loss of Control Over Sensitive Personally Identifiable Information and Follow-up Actions to Strengthen its Protection
Date: August 28, 2007
From: Theodore P. Alves, Associate Deputy Inspector General
Reply to Attn. of: J-2
To: Inspector General

This memorandum provides the results of an analysis of two incidents involving the loss of control over Sensitive Personally Identifiable Information (SPII): [1] the July 27, 2006, theft of an Office of Inspector General (OIG) laptop from a special agent’s vehicle in Doral, Florida, and the April 24, 2006, theft of an OIG laptop from a hotel conference room in Orlando, Florida.

As a result of these two laptop thefts, the OIG lost control over a large amount of SPII. Of particular concern was information on 138,000 individuals that had been collected in connection with Florida-based OIG investigations. Normally, these data would have been encrypted.
However, due to a needed system upgrade, the data were not encrypted at the time of these thefts.

While it does not appear that these two incidents resulted in any identity theft or other damage to the persons who had SPII on the laptops, we felt it was critical to understand the factors and circumstances that led to loss of control over SPII, identify what needed to be done to strengthen the protection of SPII, and ensure that these steps were carried out.

This memorandum (1) sets forth the circumstances surrounding the loss of SPII as a consequence of the two laptop thefts in Florida; (2) describes the OIG response, including efforts to protect the affected individuals; (3) assesses the risk of identity theft created by our loss of control over the SPII; (4) identifies the factors that contributed to losing control of the SPII; and (5) describes and evaluates OIG efforts to reduce the likelihood of future loss or improper disclosure of SPII.

[1] SPII consists of the combination of names and other personal information (e.g., addresses, dates of birth, and social security numbers) that can be exploited to falsely obtain credit using another person’s identity. Personally identifiable information (PII) and SPII are often used interchangeably. Technically, a telephone company’s white pages contain PII because the listings identify specific persons and associate their names with a phone number. It is the linking of an individual’s name with information that is not readily publicly available (such as a social security number) and that can be exploited to falsely obtain credit that this report refers to as SPII.

SUMMARY OF RESULTS
We found that our efforts to protect the SPII entrusted to us were insufficient. We identified three vulnerabilities that contributed to the breaches and took steps to address each of the vulnerabilities to prevent any future loss of SPII. We are also confident that, based on the results of our investigation into the thefts and an independent analysis of credit transactions pertaining to the affected individuals, the SPII contained on the laptops has not been and is not likely to be exploited to perpetrate identity theft.

When the two laptops were stolen, they contained databases with large amounts of SPII. Of particular concern was information on 138,000 individuals that had been collected in connection with Florida-based OIG investigations. This information was collected in connection with investigations related to airman certificates issued in Florida, commercial driver’s licenses issued in Miami, and commercial and individual driver’s licenses issued in the Tampa area.
Because the information on these individuals was stored in Microsoft Access and Microsoft Excel files, which are easily accessible file types, these individuals faced an increased risk of identity theft if the laptop thieves tried to exploit the data contained on these laptops.

Although the laptops were protected by password authentication that met National Institute of Standards and Technology (NIST) requirements, the data files, which had been encrypted, were decrypted [2] at the time of the theft. This decryption took place to allow a needed upgrade of the OIG computer infrastructure. Because the data files were decrypted, the SPII on the laptops was more vulnerable to improper disclosure. Although defeating the password is fairly difficult, there are readily available programs that allow a user to reset a Windows password; if the password were reset, the user would have access to all unencrypted data. [3]

We believe that both laptops were probably stolen for the value of the computers, rather than for the data they contained. As noted in the guidance developed by the President’s Identity Theft Task Force [4] (ITTF guidance): “The risk of identity theft is lower when the control over the data is lost as a result of the theft of a computer that is inadvertently left unprotected in a public location.” This is consistent with the results of our investigation into the Doral theft. As part of this investigation we placed a decoy laptop in a vehicle in the same parking lot where the Doral laptop was stolen. We observed an individual [5] break into that vehicle and were able to arrest that individual and break up a computer theft ring. Interviews of the participants revealed that they stole laptop computers, reloaded new operating systems and then sold the computers on the used market without attempting to access the data.

[2] There was no encryption requirement at the time of the thefts. Following the May 2006 theft of an external hard drive containing personal information on 26 million veterans from the home of a Veterans Affairs employee, the Office of Management and Budget mandated that all agency data stored on mobile computer/devices be encrypted by August 7, 2006, unless the data were determined, in writing, to be non-sensitive.

[3] Using such a program would not give the user access to encrypted data—encrypted data would be rendered unreadable by resetting the password in this manner.

In response to the Doral theft, we took a number of actions to inform the affected individuals. We quickly reviewed backups of the files to identify persons whose SPII was stored on the laptop. We then sent letters to those individuals for whom we could find addresses providing information regarding the theft and steps they could take to protect themselves.
We also posted this information on our website and encouraged persons believing that they might be victims of identity theft to contact our hotline, which is staffed 24 hours a day, 7 days a week.

Further, we took steps to protect the individuals from harm in the event that the data were exploited. To do this, we hired ID Analytics, a firm that specializes in helping organizations assess risks and minimize harm following a data breach. ID Analytics is monitoring credit activity for the individuals whose SPII was lost to determine whether identity theft is occurring as a result of the loss of control over these databases. [6] ID Analytics certified that as of August 21, 2007, the date of its most recent analysis, [7] no organized misuse of the databases stored on the stolen computers has occurred.

In analyzing how this loss of control over SPII occurred, we identified three contributing factors: (1) measures taken to protect the physical security of the laptops were insufficient; (2) the data on the laptops were decrypted (to preserve the data) during an upgrade to the OIG’s information technology (IT) system; and (3) SPII databases were stored on laptop computers, which are inherently less secure than computers that operate in a centralized environment. Had any one of these factors not existed, the loss of control would not have occurred.

[4] A September 19, 2006, memorandum setting forth this guidance was circulated by the Office of Management and Budget to the heads of all Federal departments and agencies. This guidance is posted on the internet at: http://www.whitehouse.gov/omb/memoranda/fy2006/task_force_theft_memo.pdf.

[5] That individual was convicted of theft of Government property and deported.

[6] The ITTF guidance notes that because “approximately 3.6 percent of the adult population reports itself annually as the victim of some form of identity theft . . . for any large breach, it is statistically predictable that a certain number of the potential victim class will be victims of identity theft through events other than the data security breach in question.” ID Analytics looks for “organized misuse” to distinguish between identity theft related to the breach and identity theft that is the “normal by-product of the routine incidence of identity theft.”

[7] Thus far, ID Analytics has provided us with 4 reports. The most recent report was issued on August 21, 2007. ID Analytics will continue to monitor these databases through August 2008.

In response to these incidents, we have taken a number of actions to reduce the likelihood of any future loss of control over SPII. For example, we have:

• Improved laptop physical security by issuing cable locks to all OIG laptop users, issuing policy for properly securing unattended laptops, and implementing guidance developed by the Department of Transportation (DOT) regarding the security of portable computers.

• Enhanced the protection of laptop data by encrypting laptop hard drives and employing a two-factor authentication system, which requires the user to set a password and plug in a small token device to access the laptop.

• Stored sensitive personal information in a more secure fashion by removing all such databases from laptops and either moving them to a more secure OIG network server or deleting them if no longer needed.
  We will also periodically review sensitive data and remove any that is no longer needed.

• Raised employee sensitivity of the need to protect such information through security training, management web casts, instructional videos, and other guidance.

CIRCUMSTANCES SURROUNDING THE THEFT OF LAPTOPS CONTAINING SPII

Laptop Stolen in Doral, Florida
On Thursday, July 27, 2006, an OIG laptop computer was stolen from an OIG vehicle near Miami, Florida. The OIG special agent to whom the laptop was assigned was transporting an agent from another Federal law enforcement agency and a Federal prosecutor to see various locations related to an open investigation, and they stopped for lunch at a restaurant in Doral. The special agent left his laptop in an unzipped case, atop a stack of other equipment in the cargo bay of a locked OIG Chevrolet Blazer. [8]

While the agents and prosecutor were in the restaurant, a thief used a tool to punch in the keyhole on the front passenger door of the vehicle to gain entry and stole the OIG laptop, leaving the carrying case behind. No other items were stolen. Upon returning to the vehicle, the agent did not notice that the passenger side lock had been punched out.

[8] Although the vehicle had tinted windows, a re-creation of the scene determined that the laptop could have been seen from outside the vehicle.

Later that day, the agent notified the Assistant Special Agent in Charge (ASAC) of the Miami office that his laptop was missing from its carrying case.
He said that he was concerned because he was certain he had the laptop with him when he left the offices of the Florida Department of Law Enforcement (FDLE) that morning. When the ASAC asked him if the vehicle could have been broken into, he informed her that nothing else was missing and he saw no indication of a break-in, such as broken glass. The ASAC advised that she would notify the Special Agent in Charge (SAC) but suggested that the agent recheck the car and retrace his steps at FDLE. The following day, the agent unsuccessfully searched FDLE; over the weekend, he also searched his residence and found nothing.

Because the laptop was not located on Friday (July 28) or over the weekend, on Monday morning (July 31), the Miami SAC sent an e-mail to various Headquarters personnel, including the OIG System Security Officer (OIG SSO), advising them that a laptop had been stolen. The SAC also instructed the OIG agent to file the required police report with the Miami-Dade Police Department. [9] Because the agent was at a loss to explain how the thief gained entry, the Miami SAC and the agent examined the vehicle on August 1 and discovered the hole in the passenger door lock.

Determination That Sensitive Personally Identifiable Information Was at Risk
Upon receiving the Miami SAC’s July 31, 2006, e-mail reporting the theft of the Doral laptop, the OIG SSO, aware of the requirement to promptly report incidents involving loss of control over PII, asked whether the stolen laptop contained PII. Later that morning, the Miami SAC confirmed that the laptop contained some PII, in the form of social security numbers (SSNs) and other personal information obtained from interviewees during criminal investigations.
[10] The OIG SSO then immediately notified the Department’s Transportation Computer Incident Response Center (TCIRC) that an OIG laptop containing PII had been stolen.

OIG Headquarters was not initially aware, however, that the laptop contained large databases of SPII collected as part of OIG investigations being conducted by the Miami office. In order to precisely determine the type of information contained on the stolen laptop, the SAC began examining a back-up copy of the data stored on the stolen laptop. On August 3, 2006, the SAC advised Investigations Headquarters management that her preliminary review identified two investigative databases that contained SPII, consisting of individuals’ names, addresses, and social security numbers. On August 4, 2006, the SAC reported additional databases with similar SPII.

[9] Although the OIG agent was instructed to file the report on July 31, 2006, the report was not actually filed until noon the next day, August 1, 2006.

[10] Collecting this information from persons who are interviewed in the course of criminal investigations is a standard law enforcement practice.

On August 5, 2006, the Acting Inspector General was informed that the stolen laptop contained large databases of SPII. He immediately ordered the Office of Investigations to remove all such databases from laptop computers and directed an investigation into the circumstances surrounding the loss of SPII.

The back-up files were then sent to OIG Headquarters where they were analyzed by computer forensic agents.
The initial analysis of the back-up files identified SPII associated with approximately 133,000 persons, including the following: a Microsoft Access database containing names, SSNs, and addresses for 42,792 Florida pilots; 3 Microsoft Excel spreadsheets containing names and SSNs for 80,667 Miami-Dade County area commercial driver’s license (CDL) holders; names, SSNs, and addresses for 9,005 individuals who obtained personal driver’s licenses from the Largo, Florida, licensing examining facility near Tampa; and names, SSNs, and addresses for 491 individuals who obtained CDLs from the Largo facility.

By letters dated August 9, 2006, the Acting Inspector General notified Members of Congress, the Governor of Florida, and the public that we had lost control over SPII belonging to approximately 133,000 persons as a consequence of the theft of the Doral laptop. On that date, the Acting Inspector General also conducted a telephone briefing with congressional staff and another with news media representatives.

Subsequent analysis of the back-up files revealed that 6 more Microsoft Excel spreadsheets were stored on the stolen Doral laptop, amounting to an additional 4,250 individuals with SPII not previously reported. These spreadsheets contained Florida airman certificate information used by the OIG’s Miami office in connection with multi-agency task forces focusing on the use of fraudulent information to obtain airman certificates. Our forensic examination also found that the laptop contained databases received from the Department of Justice (DOJ) containing preliminary investigative lead information pertaining to, among other things, possible identity fraud by numerous individuals.
We provided DOJ with an accounting of the DOJ-generated databases that were on the stolen laptop.

Re-Examination of the April 2006 Orlando Laptop Theft
After being notified that the Doral laptop contained SPII, the Acting Inspector General directed that an earlier laptop theft be re-examined. That laptop, which had been assigned to the Miami SAC, was stolen on April 24, 2006, from a hotel conference room in Orlando, Florida. At the time of the theft, which was 4 weeks before the Department of Veterans Affairs (VA) incident was publicly reported, we had treated this matter as a loss of property, rather than a loss of control over sensitive information.

The Orlando laptop was stolen on the first day of a week-long fraud prevention conference, which the OIG co-sponsored at a hotel in Orlando. The conference was organized by the Miami SAC, who had loaded the various PowerPoint presentations for the conference on her laptop. The laptop was attached to printers in a hotel conference room to provide logistical support for the conference.

The Miami SAC stated that she closed the room (she believed the door to be locked but did not recall checking to make sure that it was locked) and left at approximately 8:30 p.m. When she returned 45 minutes later, the conference room was open, the laptop was missing, and a hotel employee was servicing the room. She asked the employee about the laptop, and he stated that it had not been in the room when he entered. Hotel security was then notified, and they in turn notified the local police who responded the following day.

At the time of the theft, the Miami SAC’s main concern was that conference speaker presentations were stored on the laptop. Although the laptop theft was reported to OIG senior management, OIG management was not informed that the laptop contained SPII.
Consequently, even after the VA incident in May 2006, when OIG Investigations Headquarters became more aware of SPII issues, the Orlando laptop continued to be treated as a property theft, and no attempt was made to determine what information had been stored on the stolen laptop until the Acting Inspector General’s decision to expand the inquiry following the theft of the Doral laptop.

Forensic analysis of the Orlando laptop back-up files revealed that it contained some of the SPII that had been found on the Doral laptop; specifically, information for approximately 9,005 individuals who obtained their personal driver’s license information from the Largo, Florida, licensing examining facility near Tampa and approximately 491 drivers who obtained CDLs from the same Largo facility. It also contained an additional amount of SPII that was not on the Doral laptop, which consisted of Microsoft Excel spreadsheets containing the information of 713 individuals related to criminal investigations of designated pilot examiners, CDL holders, and airport screeners.

OIG EFFORTS TO PROTECT AFFECTED INDIVIDUALS FROM IDENTITY THEFT AND TO RECOVER THE STOLEN LAPTOPS
We took several steps to protect the affected individuals and recover the stolen laptops. We sent letters to those individuals whose SPII we found in our initial review of the databases contained in the backup of the Doral laptop. Subsequently, we awarded a contract to a firm that specializes in monitoring credit records of groups of individuals affected by a data breach to determine whether the data has been exploited for credit fraud.
As of August 21, 2007, that firm has reported that no organized misuse of the databases had occurred.

Shortly following the Doral laptop theft, we announced a $10,000 reward offer for information leading to its recovery, placing a notice in local newspapers and distributing reward posters throughout the area. We also conducted a joint investigation with the Miami-Dade Police Department and the Federal Bureau of Investigation (FBI) in an effort to recover the Doral laptop. Although we were not successful in recovering the laptops, our investigation identified a small ring of computer thieves who stole laptop computers, reloaded new operating systems and sold the computers on the used market. One individual was arrested, convicted, and deported for theft of Government property.

Notification to Persons Who Had SPII on Stolen Laptops
Shortly after we identified 133,000 individuals who had SPII in the databases stored on the Doral laptop [11], we began sending letters to those individuals for whom we could obtain valid addresses. A fact sheet and the letters sent to affected citizens, available in both English and Spanish versions, were also placed on our website.

The letters described the incident and recommended actions that affected individuals could take to protect themselves. Specifically, we suggested that they contact one of the three major credit reporting bureaus to request that an initial fraud alert be placed on their credit record and to obtain a free credit report.
We also suggested that they monitor bank and credit card statements and contact financial institutions to check for any suspicious activity on their accounts.

[11] As previously noted, the Office of Management and Budget circulated a September 19, 2006, memorandum from the Identity Task Force that provided guidance for agencies to follow in responding to breaches that could lead to identity theft, and we have followed those guidelines since their issuance. The guidelines ask agencies to evaluate whether any of the information presents a risk of identity theft. Because the Microsoft Access and Excel databases contained names linked to other identifying information and were in readily accessible form, we concluded that they presented a risk of identity theft. This was not true for all personal information on the laptop. For example, we believe that it is unlikely that anyone would search through the investigative reports on the laptop in order to collect a small number of SSNs that special agents collected from interviews.

We advised these individuals to be careful about phone calls, e-mails, and other communications from individuals purporting to be Government officials and “phishing” for or asking to verify personal information. We encouraged those suspecting that they might be a victim of identity theft as a result of the laptop thefts to contact our hotline. We also placed this information on our website and provided it to trade publications aimed at pilots and commercial truck drivers as most of the affected individuals were in these two groups.

Our hotline received 1,769 telephone calls, 47 e-mails, and 11 letters.
[12] We responded with information and instructions on how to request that the major credit reporting bureaus place a fraud alert on their accounts. In instances where individuals believed that they were the potential victim of identity theft, our agents investigated the particular facts and circumstances. Every individual who contacted the OIG and requested a telephone or e-mail response received a reply. We have found no evidence of any suspected identity theft attributable to the databases stored on the stolen laptops. While some of these individuals had, in fact, been victims of identity theft, we determined that those incidents were unrelated to the stolen laptops. [13]

Efforts To Protect Affected Individuals From Identity Theft
We engaged ID Analytics, a San Diego, California, firm that the VA employed following two incidents in which it lost control of SPII. [14] ID Analytics will monitor the databases stored on the stolen Doral and Orlando laptops for 2 years for signs that these data are being misused. ID Analytics detects suspicious patterns in bank and credit account activity to manage identity risk and prevent all types of credit fraud, from the opening of new bank and credit card accounts to transaction and collection activity on existing accounts. The firm has developed a network that gathers information from applications for credit, changes of address, and other identity risk information from companies; this network includes 5 of the top 10 banks in the United States, almost all major wireless carriers, and a leading retail credit card issuer.
The firm’s technology is designed to flag misuse of credit data, identify individuals whose credit has been misused, and determine the location of the misuse.

According to ID Analytics, the advantages of its method of fraud detection are that it identifies organized misuse of data, quickly identifies the intended victims, actively and constantly monitors a file of PII data, and identifies the location of the suspects so law enforcement officers can apprehend them. It can also help determine whether the data are being used by more than one criminal suspect and provides a deterrent effect when it is publicly announced. As stated previously, no organized misuse of the databases that were stored on the stolen OIG laptops has been detected as of August 21, 2007 (the date of the firm’s most recent analysis).

[12] As of August 23, 2007.

[13] As of August 23, 2007, we have finished investigating 38 of 39 complaints and thus far have not found any evidence of identity theft stemming from the stolen laptops.

[14] The first incident involved the theft of an external hard drive and personal laptop from the home of a VA employee. The second incident involved the theft of a computer from a VA contractor.

Efforts To Recover the Doral Laptop
Shortly following the theft of the Doral laptop, our Office of Investigations began coordinating with the Miami-Dade Police Department and the FBI to investigate the theft and recover the laptop. [15] As part of this investigation, we examined the circumstances of laptop thefts in the area. [16] This resulted in identifying several vehicle burglaries around the restaurant where the OIG laptop had been stolen, which bore similarities to that theft. Based on that information, our agents established surveillance in the vicinity.
On September 11, 2006, our agents observed two men attempting to break into a “bait” vehicle containing a decoy laptop computer, which we parked near the restaurant. They appeared to use a tool to punch in the lock keyhole on the front passenger door—the same technique used to break into the OIG vehicle on July 27. Although this theft attempt was unsuccessful, our agents were able to identify the two men based on follow-up investigative work.

On September 19, 2006, our agents observed one of these men breaking into two vehicles near the restaurant and removing laptop computers. One of the vehicles was a “bait” vehicle containing a decoy laptop provided by the FBI. The other was a private vehicle that contained a Hewlett-Packard laptop belonging to a Miami resident. Investigative activity determined that the decoy laptop thief passed the laptops to a middleman who took the laptops to the owner of a computer business in the Miami area. After coordinating with the U.S. Attorney’s Office in Miami, our agents obtained a Federal search warrant for the computer business. During the search of this business, agents recovered both the decoy and Hewlett-Packard laptops.

On September 21, 2006, Miami-Dade Police arrested the individual who stole the decoy laptop (“decoy thief”). That same day, our agents and police received consent to search the decoy thief’s apartment and found 10 additional laptop computers—the Doral laptop was not found in any of the searches. Police checked the laptop serial numbers against information maintained by the National Crime Information Center (NCIC) and determined some of them were stolen.

[15] We took the same preliminary investigative steps with respect to the Orlando laptop, but no useful leads were developed.
This is not surprising given that the investigation did not start until 3 and a half months after the theft.

[16] We also posted a $10,000 reward and distributed numerous posters announcing that fact. Although we received numerous tips, none of them led to recovery of the Doral laptop or payment of the reward.

Subsequent to the arrest, police found a punch tool in the decoy thief’s vehicle. When interviewed, the decoy thief admitted to using the punch tool to break into vehicles and to stealing laptops from vehicles near the restaurant. He did not specifically recall, however, stealing the OIG laptop on July 27.

On October 5, 2006, the decoy thief was indicted by a Federal grand jury. He pleaded guilty in U.S. District Court on December 4, 2006, to a single felony charge of theft of Government property (the decoy laptop). He was sentenced to time served and 3 years of supervised probation. However, because he was a Colombian national in the United States illegally, he was transferred to the custody of U.S. Immigration and Customs Enforcement and deported to Colombia.

Also on September 21, 2006, Miami-Dade police interviewed the computer business owner. He told the investigators he did not know the laptop computers were stolen, but later admitted that he suspected they were stolen. He said he received $25 per laptop to load new operating systems (i.e., Microsoft Windows) onto the laptops. He specifically admitted to having loaded new operating systems on the stolen decoy and Hewlett-Packard laptops.
He asserted that he did not
attempt to access data on any laptops prior to loading new operating systems.
Reloading a new operating system would dramatically decrease the likelihood that
a subsequent user of the laptop would be aware of or be able to access the SPII
that was stored on it at the time of its theft.

OIG agents interviewed the suspected middleman involved in the theft ring. He
admitted to receiving $75 per laptop from the thief and delivering the laptops to
the computer business owner who loaded new operating systems for $25 per
laptop. He further admitted to having loaded some new operating systems
himself. He maintained that he never tried to access data on any laptops prior to
loading new operating systems. OIG agents and Miami-Dade police detectives
located and interviewed the individual who had been observed breaking into
vehicles with the decoy thief on September 11, 2006. He admitted to stealing
laptop computers from vehicles with the decoy thief.

None of these four individuals recalled stealing or receiving the Doral laptop.
However, one of them commented that, after seeing the OIG reward posters, he
and the other suspects joked that they probably had stolen the OIG laptop and
missed out on the $10,000 reward. During their interviews, two of the suspects
provided additional insight regarding disposal of the stolen laptops. They stated
that older laptops were sold locally, often to high school students, while newer,
high-end laptops were shipped to Colombia. One suspect identified a shipping
company he used.
They opined that because the OIG laptop stolen on July 27 was
relatively old, it was likely sold to a local student.


ASSESSMENT OF RISK THAT SPII WILL RESULT IN IDENTITY
THEFT
In a September 19, 2006, memorandum, the President’s Identity Theft Task Force
provided guidance for agencies to use in assessing how likely it is that a data
security breach will result in identity theft and determining whether affected
individuals should be notified of the risk. 17 Specifically, the Task Force suggested
that agencies consider the following four factors:

     • How easy or difficult it would be for an unauthorized person to access the
       [SPII] in light of the manner in which the [SPII] was protected;
     • The means by which the loss occurred, including whether the incident might
       be the result of a criminal act or is likely to result in criminal activity;
     • The ability of the agency to mitigate the identity theft; and
     • Evidence that the compromised information is actually being used to commit
       identity theft.

As set forth below, the application of these factors suggests that, although there
was information on the laptops that could be used to commit identity theft, it is
unlikely that such theft will occur. Based on our application of this guidance, we
also concluded that it was not necessary to notify the additional individuals who
were listed in databases that were identified during the subsequent, more detailed
forensic analysis.
The significant factors that led us to this conclusion were (1) the
likelihood that the thieves reloaded the laptop’s operating system and sold the
computer on the used market, and (2) the periodic analysis of credit risks being
performed under the ID Analytics contract, which will help us to determine if
there was an attempt to exploit this data and would allow us to target the
perpetrators if that took place.


Task Force Factor 1: Accessibility of the Data
Both of the stolen laptops were password-protected with passwords that were
consistent with the standards set by the NIST for systems that store personal

17
     The President’s memorandum did not use the term “SPII” and instead referred to it as “personal information of the
     type that can result in identity theft.” The guidelines can be found on the FTC’s website, www.FTC.gov, by clicking
     on “Fighting Back Against Identity Theft,” clicking on “President’s Identity Theft Task Force,” and clicking on
     “President’s Identity Theft Task Force Summary of Interim Recommendations.” Currently, it can be directly
     accessed at: http://www.ftc.gov/os/2006/09/060916interimrecommend.pdf. As these guidelines were not issued until
     September 19, 2006, we were unable to use them to formulate our initial response. We have, however, followed
     them with respect to decisions made after September 19, 2006. On May 22, 2007, the Office of Management and
     Budget issued a memorandum that required agencies to implement the recommendations of the Task Force with
     respect to “safeguarding and responding to the breach of personally identifiable information” within 120 days.
     This memorandum is available at: http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf.

information. To illustrate, we required that the passwords be at least 8 characters
in length and contain at least one letter, one number, and one special character. 18
The laptops were configured so that the user could not select a password that did
not meet these standards. The laptops were also configured to “time-out” after
30 minutes (i.e., if the computer was not being used for 30 minutes, the user’s
password would have to be re-entered to operate the system). This affords some
protection, in that a password meeting this standard is relatively difficult to defeat.

It is possible, however, to gain access to the computer without defeating the
password. There are easily obtainable programs that allow a Windows password
to be reset. Had the data been encrypted, this would not have posed a serious risk
since use of these programs renders encrypted data unreadable. Unfortunately, as
previously discussed, before the theft, both laptops had been decrypted to allow a
needed upgrade to the OIG’s operating system. Consequently, the SPII stored on
these laptops was more vulnerable to disclosure if the person stealing the laptops
was technically proficient and interested in accessing the data.


Task Force Factor 2: How the Loss Occurred
The circumstances of the thefts suggest that the laptops were stolen for the value
of the computers and not for the value of the data.
Regarding this issue, the
President’s Task Force on Identity Theft notes:

       For example, as a general matter, the risk of identity theft is greater if the
       covered information was stolen by a thief who was targeting the data (such as a
       computer hacker) than if the information was inadvertently left unprotected in
       a public location, such as in a briefcase in a hotel lobby. Similarly, in some
       cases of theft, the circumstances might indicate that the data storage device,
       such as a computer left in a car, rather than the information itself, was the
       target of the theft.

The results of our investigation into the Doral, Florida, theft ring confirm that the
laptop was stolen for the value of the computer, rather than for the information
itself. As discussed above, the thieves stated that they would load a new operating
system on the computers and then resell them. This was corroborated by our
subsequent forensic analysis of the Government decoy computer. When that
computer was recovered, we determined that a new operating system had been
installed and that the data had not been accessed.

While loading a new operating system is unlikely to destroy all existing data, it
does make it invisible to someone who is not actively looking for it. A Windows
operating system maintains a list of all files stored on the computer’s hard drive.

18
     Federal Information Processing Standard (FIPS) 112.

Running a program such as Windows Explorer will generate a list of the files on
the hard drive. However, when a new operating system is loaded onto the
computer, the existing file list is erased. This essentially hides the existence of old
information from the new user.
As new information is stored on the computer’s
hard drive, the old data is eventually overwritten.


Task Force Factor 3: Ability To Mitigate Possible Identity Theft
As noted above, we have contracted with ID Analytics to monitor the SPII
databases on the stolen laptops. ID Analytics analyzes a wide variety of credit
data to determine if there is any organized misuse of the SPII data. If such misuse
occurred, it would provide us with pertinent information regarding the identity of
both the victims and the perpetrators. We would then be in a position to notify the
affected individuals and pursue the perpetrators. Early awareness of identity theft
can significantly reduce the harm suffered by the victims. Further, as an agency
with law enforcement authority and investigative capabilities, we would
immediately coordinate with other law enforcement agencies to apprehend the
persons seeking to misuse the data.


Task Force Factor 4: No Evidence That the Compromised Information
Is Actually Being Used To Commit Identity Theft
While it is possible that persons planning identity theft could intentionally delay
their attempt to exploit the data, it is significant that it has been 1 year since the
Doral laptop was stolen, and there has been no evidence of identity theft based on
these databases. As of August 21, 2007, ID Analytics has concluded, based on
comprehensive expert analysis of credit information relating to the affected
individuals, that there has been no organized misuse of these data.

The reports from ID Analytics are consistent with the information we have
developed in our own investigation. As noted above, the information concerning
the Doral theft was widely distributed through individual letters to most of the
people whose SPII was contained in the laptop’s databases and through a posting
on our website.
In these notifications, we advised people to contact us if they
believed they were victims of identity theft. As of August 23, 2007, we have
finished investigating 38 of 39 complaints and thus far have not found any
evidence of identity theft stemming from the stolen laptops.


FACTORS CONTRIBUTING TO THE LOSS OF SPII
Our review of the facts and circumstances surrounding the laptop thefts indicates
that the loss of SPII was a combination of three factors: (1) the laptops were not
protected from loss as well as they should have been; (2) the data on the two
laptops had been decrypted to allow needed IT upgrades; and (3) SPII was being
maintained on laptops, which are inherently more vulnerable than computer
servers that operate in a secured environment.


Physical Security of the Laptops
Our examination of the two thefts found that although the OIG agents took some
precautions, they could have done more to safeguard the laptops.

Prior to the two laptop thefts, neither DOT nor the OIG had specific policies for
physically safeguarding laptop computers removed from an employee’s regularly
assigned workplace. As a result, it was left to the judgment of the individual
special agents and their supervisors to determine how best to protect the
equipment and information entrusted to their care. OIG policy required Office of
Investigations employees to safeguard any information in their possession and to
safeguard files from loss, theft, mutilation, and unauthorized disclosure. 19 OIG
policy also directed that laptops should remain “in the possession of the OIG
employee as much as possible.” 20

In the Doral incident, the laptop was stolen from an unoccupied Government
vehicle while the agent was at lunch.
While the vehicle was locked, this level of
physical protection was not adequate for several reasons. First, the agent had been
informed that his laptop had been decrypted and warned to protect the computer
while the data was unencrypted. Second, the agent knew that the vehicle did not
have a trunk and was parked in an area of South Florida with a high incidence of
vehicle break-ins and thefts. Although the vehicle windows were tinted, the laptop
was still visible through the back and rear windows. Lastly, the agent was aware
of the widely publicized theft of the VA data and its consequences.

These considerations could have led the agent to properly conclude that his laptop,
which contained SPII databases, should not be left unattended in his vehicle. Even
if the laptop had to be left in the vehicle (i.e., in the event the agent had to quickly
exit and leave the vicinity of the vehicle), it should have been covered to conceal it
from view.

In the case of the stolen Orlando laptop, similar considerations apply. While the
Miami SAC believed that she locked the conference room (she acknowledged that
she did not recall specifically checking to ensure that it was locked), the laptop

19
     Operating Procedures Manual (OPM), Part 4 (JI) Chapter 1, Section 2.
     Similar guidance exists for Office of Audit
     staff at OPM, Part 2 (JA) Chapter 6: staff is directed to “safeguard working papers developed during an audit to
     ensure that they are not lost stolen or altered.”
20
     OPM Part 1 (General and Administrative), Chapter 19, Paragraph 3(a)(2).

was unattended for approximately 45 minutes, and the Miami SAC should have
anticipated that hotel staff might access the room and fail to re-secure it.

It also appears that the Miami SAC believed, at the time that her laptop was stolen,
that the laptop contained case files and that the laptop had been decrypted. 21
According to a copy of the police report, which we obtained after the Doral theft,
she told the police officer that her laptop “contained several case files which are
not encrypted due to computer conversions at work.” Believing that the laptop
contained sensitive information and that the information was not encrypted should
have led the SAC not to leave the laptop unattended.


Encryption Capability Disabled at the Time of the Laptop Thefts
Although there was no Office of Management and Budget or DOT requirement to
encrypt laptop data until August 7, 2006, it had been OIG policy since the OIG
began issuing laptops, that users should store all data in a special folder that was
pre-configured to be encrypted. All documents placed in this folder were
automatically encrypted.

If the databases on the laptops had been encrypted at the time of the thefts, there
would have been almost no risk of the data being misused. Unfortunately, we
believe that neither stolen laptop was encrypted at the time of the thefts because of
an IT upgrade that involved creating an active directory, installing new servers,
and upgrading server software.
This upgrade was needed because the existing
network was approximately 10 years old and had become obsolete, inefficient, and
more vulnerable to security threats.

Had the files been transferred in an encrypted form from the old operating system
to the new system, the laptop users would have been unable to access these files
after the transfer. Consequently, it was necessary to decrypt all files before their
transfer. The upgrade plan was to decrypt all the computers, upgrade the various
OIG offices in Headquarters and field locations in stages, and then simultaneously
re-encrypt all the computers once all locations had been upgraded. 22 This was
viewed by the OIG CIO staff as the most efficient method to minimize resource
demands and the disruption of day-to-day OIG operations.

21
     Because we were unable to examine the actual laptop, we were unable to determine conclusively whether the laptop
     had been decrypted.
22
     Had some of the files been encrypted and some unencrypted, it would not have been possible for employees whose
     computer had been upgraded to exchange files with employees whose computer had not been upgraded. The last
     OIG computers, assigned to our Lakewood, Colorado, office, were upgraded on July 27, 2006.

Decryption of OIG computers began on March 9, 2006, by running an automated
program on the DOT network. This program automatically decrypted computers
attached to the network unless the user stopped the process before it was
completed. Thus, most of the OIG’s computers were decrypted in March 2006.
However, computers assigned to the Miami office were not decrypted at that time
because Miami users accessed the OIG computer system through a Virtual Private
Network (VPN).
The nature of the VPN connection prevented those laptops from
being decrypted by the automated program, so significantly more effort and
end-user interaction was required to decrypt those laptops. The majority of the Miami
laptops, including the Doral laptop, were decrypted on June 23, 2006, with
assistance from a computer forensic agent who worked in that office. 23

Although the OIG CIO office worked diligently to complete the process as quickly
as possible, given the length of time required to complete the upgrade, we believe
that the OIG’s security certification required a more formal risk assessment with
respect to the decryption of the laptops for such an extended period. At the time
the decryption took place, the OIG Infrastructure Risk Assessment Report
recognized that information stored on laptops is less secure and identified
encryption as the method to address the increased risk. Specifically, the Report
noted that, “access to encrypted files is controlled by user logon and provides extra
protection to ensure the confidentiality and integrity of the data, which may not be
physically secured due to the portability of the systems.”

Under the Federal Information Security Management Act of 2002 (FISMA),
agencies are required to continuously monitor their systems and assess whether
changes to the system or the environment create any new vulnerabilities. 24
Because our Certification and Accreditation specifically identified encryption as a
security measure employed to reduce the risk of storing sensitive information on
laptop computers, the planned decryption of the laptops should have been
identified as creating a security risk, especially given that the information would
remain decrypted for at least several weeks.

The OIG CIO office advised us that it had assessed the risks associated with
decryption.
However, that assessment was not recorded in writing or shared with
OIG senior management or investigations management in the field offices. The
OIG CIO office did send an e-mail to the Miami investigations staff and other
Virtual Private Network users in which it described the decryption process and
advised them to “protect your PCs as files will no longer be encrypted.” It did not,
however, offer any specific guidance as to how the laptops should be protected,
and those OIG employees who did not have to use a Virtual Private Network
(VPN) to connect to the network did not receive this warning.

23
     Had the Miami SAC’s computer been decrypted at the same time as the rest of her office’s computers, the data
     stored on it would have been encrypted at the time that laptop was stolen. Unfortunately, we have concluded that it
     probably was decrypted when the Miami SAC came to Headquarters on March 22 through 24 to prepare for the
     fraud prevention conference. Because the automated program was running on the OIG computer network, it would
     have decrypted her computer when she physically connected her laptop to the network unless she stopped the
     process. Since we have not recovered the laptop, there is no way to determine whether the program successfully
     decrypted the laptop.
24
     NIST Special Publication 800-53A “Guide for Assessing the Security Controls in Federal Information Systems.”
     Chapter 3.4.

A more formal OIG-wide assessment of potential security risks associated with
removing encryption and a discussion of whether compensating security measures
should be employed would have been more consistent with OIG’s information
security certification.
Our favorable history with regard to maintaining control
over laptops may have caused the CIO office to underestimate the risk of laptop
theft. Prior to the Orlando theft, we had only lost one laptop. That laptop, which
was lost in 2001, had been assigned to an auditor and was determined not to
contain any sensitive information. Until the Orlando theft, the Office of
Investigations had never lost a laptop. Nevertheless, a formal risk assessment
would have given OIG decision makers the opportunity to decide whether these
risks were acceptable and whether additional steps were needed to mitigate the
risks.

It should also be noted that the OIG CIO has significant responsibilities in addition
to Information Resources Management. The OIG CIO also serves as the Chief
Financial Officer and as the head of Administration, positions that have their own
time-consuming and mission-critical responsibilities. 25 Although we do not
believe that the additional responsibilities contributed to the loss of control over
SPII, given the increasingly complex and fast-paced demands the OIG faces with
respect to effective management of information technology and computer security,
as well as financial management and general administration, consideration should
be given to establishing a separate CIO within OIG whose only responsibilities are
to manage our information technology program, including information resources
and computer security. This would be more consistent with best practices, which
generally call for Information Resources Management to be the primary duty of a
CIO. 26

It is also true that anyone in OIG management who was familiar with the
sensitivity of the type of information stored on special agents’ laptops could have
recognized the increased vulnerabilities presented by decrypting the information
on the laptops and taken steps to mitigate those risks.
Persons in the Office of
Investigations who were familiar with the sensitivity of the information stored on
Special Agents’ laptops include the Special Agent in Charge, the Deputy Assistant
Inspector General for Investigations, 27 the Assistant Inspector General for
Investigations, and the Acting Inspector General. Had these individuals been
more sensitive to the risks associated with decrypting the laptops used by OIG
special agents, they might have recognized the increased vulnerabilities presented
by the decryption and taken steps to mitigate those risks. 28

25
     In 2001, the Deputy Inspector General designated the Chief Financial Officer/Director of Administration, who had
     qualifications and prior experience as an IT professional, as OIG’s CIO.
26
     The Clinger-Cohen Act, 40 U.S.C. 1401(3) requires that larger Federal agencies appoint a CIO with information
     resources management duties as that official’s primary duty. Although not required, it is also considered a best
     practice for smaller agencies and agency components.
27
     Because OIG’s Office of Investigations was subsequently reorganized, this position no longer exists.


SPII Databases Stored on Laptops
At the time of the laptop thefts, the OIG, like most Government agencies, did not
have specific procedures for handling SPII. It fell within the general category of
sensitive information to which OIG employees were expected to apply appropriate
judgment to protect.
In the case of special agents, the OIG Operating Procedures
Manual stated, “All JI employees must safeguard files from loss, theft, mutilation,
or unauthorized disclosure.” 29 OIG procedures also called on special agents to
“prevent the accumulation of unnecessary documentation and files.”

Because laptops are inherently more vulnerable to theft than computers that
operate in a secure environment, properly safeguarding files from disclosure
requires making judgments about what kind of information can prudently be
stored on a laptop. Because of the significant damage that can occur from
disclosure of SPII, storing SPII databases on laptops is unwise. Unfortunately, our
special agents and their supervisors did not sufficiently recognize the sensitivity of
the data or the risk associated with keeping this data on laptop computers.


OIG ACTIONS TAKEN TO PREVENT LOSS OF CONTROL OVER
SPII IN THE FUTURE
We determined the factors involved in the loss of control over SPII so that we
could focus our efforts to prevent any future occurrences. Our efforts to
accomplish this have been in four areas: (1) improving physical security of the
laptops, (2) encrypting all data and deploying two-factor authentication, (3) storing
SPII in a more secure fashion, and (4) improving employee awareness to protect
SPII.
30


We Have Improved Laptop Physical Security
Both DOT and the OIG are taking actions to strengthen guidance provided to
employees related to the safeguarding of computers and the information contained
on them. We have issued new policies regarding properly securing unattended
laptops 31 and have issued cable locks to all laptop users. These locks prevent the
laptop from being undocked while in the user’s office and provide an effective
way to secure the laptop while on travel.

28
     For example, SACs and special agents could have been advised to take additional precautions, such as removing
     SPII from the laptops.
29
     “JI” is the designation used for investigations personnel.
30
     By re-encrypting the data and enacting policies regarding the inventory and oversight of sensitive information, we
     complied with Office of Management and Budget requirements for the protection of sensitive information that took
     effect on August 7, 2006. The May 22, 2006, memorandum from Office of Management and Budget (M-06-15) is
     posted on the Internet at www.whitehouse.gov/omb/memoranda/fy2006/m-06-15.pdf.

In addition, we have provided all employees with guidance developed by DOT
regarding the security of portable computers. That guidance includes the
following:

         When carrying portable computers or portable storage devices while on
         travel or when working outside of their normal DOT workspace (e.g.,
         teleworking), employees shall take all reasonable precautions to protect these
         items against loss or theft. Employees shall not leave computer or portable
         storage devices unattended and in the open in their homes, hotel rooms,
         vehicles, places of public transportation, or offices they are visiting.
         If cable
         locks are available, they should take them while traveling and use them as
         necessary to secure portable computers. 32


We Have Encrypted all Data on the Laptops and Implemented
Two-Factor Authentication on all Laptops
We have significantly strengthened the data security on our laptops. All OIG
laptops now have their entire hard drive encrypted using a system called
“SafeBoot.” This system uses strong pre-boot user authentication and powerful
encryption to prevent unauthorized access.

In addition, all OIG laptops now employ two-factor authentication. In addition to
typing in a password, the user has to insert a small token into the laptop’s USB
port to access data on the laptop. Two-factor authentication significantly reduces
the chances that unauthorized persons could access data on the laptop. Even if
unauthorized persons gained control of the laptop, they would need to both defeat
the password and obtain the token before they could access any of the data on the
laptop.

To further ensure that sensitive information is encrypted, each OIG user’s computer is
automatically checked to determine if the encryption process is functioning as
intended whenever the user logs onto the OIG network. If it is not functioning

31
     As an interim measure, while a new policy was being developed, OIG employees were instructed not to leave
     Government laptops or electronic storage media unattended in vehicles under any circumstances.
32
     This guidance was originally developed by DOT in 2000 but was not widely distributed, and copies were not easily
     obtainable.
     Following the loss of the Doral laptop, this policy was posted on the DOT Intranet and is referenced in
     the Implementation of DOT’s Protection of Sensitive Personally Identifiable Information (SPII), which was issued
     on October 11, 2006.

properly, the OIG CIO office is notified so that corrective action can be taken
immediately.


We Have Begun Storing SPII in a More Secure Fashion
On August 7, 2006, the Acting Inspector General directed that all OIG employees
remove any databases containing SPII from laptops and ensure that all other
sensitive information is stored in encrypted folders. Each OIG employee was
required to certify compliance with this requirement, and OIG managers were
instructed to verify employees’ compliance.

All databases containing SPII were removed from OIG laptops and either deleted
if no longer needed or moved to a secure OIG network server. In addition, all
remaining databases containing SPII were inventoried to enable supervisors to
monitor and keep track of this sensitive information. Sensitive information will be
periodically reviewed and removed when no longer needed.

Because the only computers assigned to most special agents and most other OIG
employees are laptops, each user has been assigned a “home drive” on a network
server that can be used to store sensitive information. This drive is physically
located on a non-portable server that operates in a secure environment but allows
access only to the specific user.


We Have Increased Employee Awareness of the Need To Protect SPII
On August 2, 2006, the OIG CIO circulated to all OIG employees a message from
the DOT CIO reminding all DOT employees and contractors about the importance
of safeguarding SPII.
The Acting Inspector General held an all-OIG employee
web cast on August 14, 2006, to reinforce requirements for safeguarding
information on computer hardware and storage media.

In addition, to reinforce awareness of departmental security policies, during August
2006, all OIG employees were directed to re-certify that they had read and
understood departmental guidance on safeguarding information and computer
security. Employees were also required to complete DOT’s on-line Privacy Act
Awareness Training course emphasizing the importance of protecting information
and the proper techniques for handling personal information. OIG employees
completed these actions by August 30, 2006.

In connection with the implementation of the SafeBoot system, all laptop users
were required to review a guide that outlines the use of the locks and stresses the
importance of protecting laptop data. In addition, all laptop users were required to
watch a training video that illustrates the various ways in which laptops can be
stolen and highlights the significant damage that an organization can suffer when
it loses control of a laptop computer.


CONCLUSIONS AND RECOMMENDATIONS
The loss of control over the SPII databases had three primary causes:

 • Inadequate protection of laptops by OIG employees;
 • Our removal of encryption from sensitive data during a system upgrade; and
 • Our storage of SPII on laptops, which are inherently less secure than desktops
   or servers that remain in a secure operating environment.

While these causes involved various individuals and circumstances, they were all a
consequence of an insufficient emphasis on protecting sensitive information from
loss. Like many other agencies, our security focused more on safeguarding
physical property rather than information.
Given the rise in identity theft and
other misuse of personal information, the variety of information that is collected
by the Government and private parties, and the amount of information that can
now be stored on easily portable devices, this mindset cannot continue.

While it is unlikely that any of the lost SPII will be misused, approximately
138,000 people were exposed to an unacceptably high risk that their personal
information would be improperly disclosed and possibly misused. Given the
severity of the personal and financial disruption that victims of identity theft
suffer, creating this level of risk is unacceptable.

This failure to adapt to the new demands created by changes in information
technology is not limited to our office. Very few Government agencies had
policies relating to the treatment of SPII at the time of the VA theft, and very few
required encryption of sensitive data stored on laptops. Current Office of
Management and Budget policies on this subject were drafted in the wake of the
VA theft, and the requirement that agencies encrypt all sensitive data stored on
mobile computers and other mobile devices did not take effect until August 7,
2006.

It is impossible to completely eliminate the risk that an agency will lose control of
sensitive data. There is, for example, no way to eliminate the possibility that a
trusted employee with access to sensitive data will disregard agency policy and
recklessly or intentionally expose sensitive information to improper disclosure.
Ensuring that these changes do in fact result in increased protection of SPII will
require the continued involvement of OIG senior management. Specifically, OIG
senior management must:

1.) Evaluate the effectiveness of recent OIG improvements, such as installing the
    SafeBoot encryption software, using two-factor authentication, deploying
    cable locks, and providing each OIG employee with a home drive on the
    network;

2.) Ensure that both new employees and existing employees receive adequate
    privacy awareness training;

3.) Perform periodic reviews of data stored on OIG laptops and document
    compliance with policies regarding the storage of SPII and other sensitive
    data; and

4.) Consider separating the CIO and CFO/Administrative functions, so that one
    senior OIG management official will have information resources
    management as their primary responsibility.